[Help] After boot, free space on drive C keeps shrinking until the disk is full

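Recently I noticed my machine behaving very strangely: after boot, the free space on drive C keeps decreasing until XP warns "Not enough disk space", and then it suddenly returns to the normal amount of free space.
Another symptom: IE hangs for a while before every operation.
The system scan results are below. Please take a look, thanks.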

HijackThis_zww汉化版扫描日志 V1.99.1
保存于20:12:53, 日期2005-12-16
操作系统:Windows XP SP2 (WinNT 5.01.2600)
浏览器:Internet Explorer v6.00 SP2 (6.00.2900.2180)

当前运行的进程:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
D:\Develop\Subversion\SourceSafe\bin\SVNService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
D:\Develop\Subversion\SourceSafe\bin\svnserve.exe
D:\Tools\UPHClean\uphclean.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\system32\nutsrv4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\TEMP\HL459.EXE
C:\WINDOWS\SOUNDMAN.EXE
D:\Tools\D-Tools\daemon.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
D:\Tools\Babylon\Babylon.exe
D:\Tools\TotalCmd\TOTALCMD.EXE
C:\WINDOWS\system32\internat.exe
D:\Tools\ATnotes\ATnotes.exe
D:\Web\MSNShell\BIN\MSNShell.exe
D:\Web\Microsoft Firewall Client\ISATRAY.EXE
D:\Tools\Rainlendar\Rainlendar.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\JJOL\IME\JJSvr.EXE
C:\WINDOWS\system32\taskmgr.exe
D:\Web\Maxthon\Maxthon.exe
D:\Develop\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
D:\Tools\Hijackthis\HijackThis1991汉化版\HijackThis1991zww.exe
d:\Microsoft Office\OFFICE11\OUTLOOK.EXE

R3 - 默认的URLSearchHook丢失。用HijackThis修复
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Tools\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Tools\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - D:\Web\NetTransport 2\NTIEHelper.dll
O2 - BHO: IE DOM Explorer - {CC7E636D-39AA-49b6-B511-65413DA137A1} - D:\Develop\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O3 - IE工具栏增项: CyberArticle Express - {769A6A36-ED24-4376-BC7C-80225BF35698} - D:\Web\CyberArticle\CAExp.dll
O3 - IE工具栏增项: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\Tools\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - IE工具栏增项: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - D:\Develop\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O4 - 启动项HKLM\\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - 启动项HKLM\\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - 启动项HKLM\\Run: [SoundMan] SOUNDMAN.EXE
O4 - 启动项HKLM\\Run: [DAEMON Tools-1033] "D:\Tools\D-Tools\daemon.exe"  -lang 1033
O4 - 启动项HKLM\\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - 启动项HKLM\\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - 启动项HKLM\\Run: [pdfFactory Pro 分配器 v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /runonce
O4 - 启动项HKLM\\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - 启动项HKLM\\Run: [gcasServ] "D:\Webs\Microsoft AntiSpyware\gcasServ.exe"
O4 - 启动项HKLM\\Run: [Babylon Client] D:\Tools\Babylon\Babylon.exe -AutoStart
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [ATnotes.exe] D:\Tools\ATnotes\ATnotes.exe
O4 - HKCU\..\Run: [MSNShell] D:\Web\MSNShell\BIN\MSNShell.exe autorun
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HI0_B.lnk = ?
O4 - Startup: Rainlendar.lnk = D:\Tools\Rainlendar\Rainlendar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Tools\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = D:\Web\Microsoft Firewall Client\ISATRAY.EXE
O8 - IE右键菜单中的新增项目: 保存: 完整网页... - D:\Web\CyberArticle\script\Save.htm
O8 - IE右键菜单中的新增项目: 保存: 更多保存内容... - D:\Web\CyberArticle\script\SaveAuto.htm
O8 - IE右键菜单中的新增项目: 定位查看 GPS 卫星地图 - D:\Tools\IExif 2.25\IExifMap.htm
O8 - IE右键菜单中的新增项目: 查看 Exif/GPS/IPTC 信息 - D:\Tools\IExif 2.25\IExifCom.htm
O9 - 浏览器额外的按钮: (no name) - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSAssist\MMSAssist.dll (file missing)
O9 - 浏览器额外的“工具”菜单项: MMSAssist工具条设置 - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSAssist\MMSAssist.dll (file missing)
O16 - DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} (Edit Class) - https://www.sz1.cmbchina.com/download/CMBEdit.cab
O16 - DPF: {E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153} (Rising Web Scan Object) - http://download.rising.com.cn/register/pcver/autoupgradepad/Ver2005/OL2005.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BQC.CORP.COM
O17 - HKLM\Software\..\Telephony: DomainName = BQC.CORP.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BQC.CORP.COM
O18 - 列举现有的协议: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - 列举现有的协议: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - 列举现有的协议: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - 列举现有的协议: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - 列举现有的协议: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - 列举现有的协议: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - 列举现有的协议: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - 列举现有的协议: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - 列举现有的协议: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - C:\WINDOWS\wc98pp.dll
O18 - 列举现有的协议: ipp - (no CLSID) - (no file)
O18 - 列举现有的协议: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - 列举现有的协议: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - 列举现有的协议: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - 列举现有的协议: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - 列举现有的协议: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\WINDOWS\System32\inetcomm.dll
O18 - 列举现有的协议: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - 列举现有的协议: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - 列举现有的协议: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - 列举现有的协议: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - 列举现有的协议: msdaipp - (no CLSID) - (no file)
O18 - 列举现有的协议: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - 列举现有的协议: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
O18 - 列举现有的协议: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O18 - 列举现有的协议: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - 列举现有的协议: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\System32\mshtml.dll
O18 - 列举现有的协议: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - 列举现有的协议: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - 列举现有的协议: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\System32\wiascr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - NT 服务: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - NT 服务: ColdFusion MX ODBC Agent - Unknown owner - D:\Develop\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\db\slserver52\bin\swagent.exe
O23 - NT 服务: ColdFusion MX ODBC Server - Unknown owner - D:\Develop\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\db\slserver52\bin\swstrtr.exe
O23 - NT 服务: Macromedia JRun Admin Server - Macromedia Inc. - D:\Develop\JRun4\bin\jrunsvc.exe
O23 - NT 服务: Macromedia JRun CFusion Server - Macromedia Inc. - D:\Develop\JRun4\bin\jrunsvc.exe
O23 - NT 服务: Macromedia JRun Default Server - Macromedia Inc. - D:\Develop\JRun4\bin\jrunsvc.exe
O23 - NT 服务: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - NT 服务: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - NT 服务: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - NT 服务: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINDOWS\system32\nutsrv4.exe
O23 - NT 服务: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - NT 服务: OracleMTSRecoveryService - Oracle Corporation - D:\oracle\ora92\bin\omtsreco.exe
O23 - NT 服务: OracleOraHome92ClientCache - Unknown owner - D:\oracle\ora92\BIN\ONRSD.EXE
O23 - NT 服务: SVNService - Clansoft - D:\Develop\Subversion\SourceSafe\bin\SVNService.exe
O23 - NT 服务: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe


Last edited 2005-12-17 21:33:15

Turn off System Restore.
O23 - NT 服务: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINDOWS\system32\nutsrv4.exe
What is this?

C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\system32\mqsvc.exe
These two are also a problem.

[Reply to "provider"'s post]
C:\WINDOWS\system32\nutsrv4.exe
If you can find this file, please zip it and send it to: baohelin@yahoo.com.cn

Fix all O15 entries.

Quote:
[Post by 闪电风暴] C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\system32\mqsvc.exe
These two are also a problem.
...........................

mnmsrvc.exe belongs to NetMeeting.
mqsvc.exe is also a built-in system component, Message Queue.

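Quote:
[Post by baohe] [Reply to "provider"'s post]
C:\WINDOWS\system32\nutsrv4.exe
If you can find this file, please zip it and send it to: baohelin@yahoo.com.cn

Fix all O15 entries.
...........................

Judging from this description, it doesn't look like a virus. Still, tomorrow I'll turn that machine on and send you the program. Thanks for the reply.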

nutsrv4 - nutsrv4.exe - Process Information
Process File: nutsrv4 or nutsrv4.exe
Process Name: NuTCRACKER 4
 
Description:
nutsrv4.exe is a process belonging to NuTCRACKER 4 which adds Linux functionalities to your Windows based operating system. This program is important for the stable and secure running of your computer and should not be terminated.
For More Information About nutsrv4.exe - Get WinTasks 5 Pro Now!

Recommendation for nutsrv4.exe:
Should not be disabled, required for essential applications to work properly.
To get control over your running programs we suggest WinTasks 5 Pro


Author: DataFocus
Part Of: NuTCRACKER 4



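[Reply to "provider"'s post]
Found the problem today: files like C:\WINDOWS\TEMP\HL459.EXE are generated by OfficeScan. If I kill this process at startup, the problem no longer occurs. Ugh, this lousy antivirus software.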
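
Added example, not part of the original thread: a small Python triage pass over a HijackThis log like the one posted above, flagging processes running from a temp directory (the HL459.EXE case), entries whose file is missing, unresolved startup shortcuts and services with an unknown owner. The function names and flag rules are assumptions made for this illustration, and the sample is a short excerpt of the posted log; a flag is a prompt for follow-up, not a verdict.

```python
import re
# Short excerpt of the HijackThis log posted in this thread (localized build).
SAMPLE_LOG = r"""当前运行的进程:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nutsrv4.exe
C:\WINDOWS\TEMP\HL459.EXE
D:\Tools\TotalCmd\TOTALCMD.EXE

O4 - Startup: HI0_B.lnk = ?
O9 - 浏览器额外的按钮: (no name) - {6671A433-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSAssist\MMSAssist.dll (file missing)
O23 - NT 服务: SVNService - Clansoft - D:\Develop\Subversion\SourceSafe\bin\SVNService.exe
O23 - NT 服务: OracleOraHome92ClientCache - Unknown owner - D:\oracle\ora92\BIN\ONRSD.EXE
"""

PROC_HEADERS = ("当前运行的进程:", "Running processes:")  # localized and English headers
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")        # e.g. "O23 - ..."
TEMP_RE = re.compile(r"\\te?mp\\", re.IGNORECASE)          # \TEMP\ or \TMP\ path component

def parse_log(text):
    """Split a HijackThis log into running-process paths and (code, detail) entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line in PROC_HEADERS or not line:
            in_procs = bool(line)  # header opens the process list, blank line closes it
        elif in_procs:
            processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m.group(1), m.group(2)))
    return processes, entries

def triage(text):
    """Return (reason, item) pairs worth a manual look; these are not verdicts."""
    processes, entries = parse_log(text)
    findings = [("process running from a temp directory", p)
                for p in processes if TEMP_RE.search(p)]
    for code, detail in entries:
        if detail.endswith("(file missing)"):
            findings.append(("entry points at a missing file", f"{code} - {detail}"))
        elif code == "O4" and detail.endswith("= ?"):
            findings.append(("startup shortcut with unresolved target", f"{code} - {detail}"))
        elif code == "O23" and " - Unknown owner - " in detail:
            findings.append(("service without owner information", f"{code} - {detail}"))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

On the excerpt, the temp-directory rule surfaces HL459.EXE first, which the original poster later attributed to OfficeScan, so a hit here still needs the owning product checked before anything is removed.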